IIS requiring authentication

Using IIS on a standalone Win2003 server. Users hit the server IP from any workstation on the LAN and get the default web page. Setup has been in place for about a year with no problems. Last week, we start getting errors when users try to hit the site. Users get "Authentication Required" popup when they use their bookmark to get to the site.

First time this happened, entering the admin user credentials would allow the user to proceed to the default web site. That is no longer the case; no credentials are validated. Have verified user/pw for the admin user on the server, so that is not the issue.

Point is, we should *never* need to authenticate to get to this page. I went into IIS Manager and checked the Directory Security settings. "Enable anonymous access" is selected. Down below, in the "Authenticated Access" area, it had shown "Integrated Windows authentication" for when anonymous access was disabled, or when NTFS permissions caused restrictions.

I have not been at the keyboard of this server for over a month, prior to this issue arising last week. It is not auto-updating--i.e. zero changes have been made that could account for this. I have tried disabling the Windows Authentication, then restarting. I have tried using admin user to get past authentication; only worked the first few times (?). I've tried changing the password for the IUSR_computername user both in the Local Users and Groups and in IIS Manager. Nothing is working.

Some random changes do happen. I had taken off the Integrated Windows authentication, restarted the server, took a screenshot of IIS Mgr with that setting *off*. Users had access to the default web page. 30 min. later, same problem. Checked IIS Mgr, and integ win auth was back on...? Nobody has physical or remote access to this server except me, and except for users' access to the default web page.

When at the server console, typing the server IP in the web browser yields "authentication required." Typing "localhost" takes me to the default web page. Now, that's just weird.

Any help would be oh-so-appreciated!

On Nov 26, 8:51 am, awshaffer <awshaf***@discussions.microsoft.com>
wrote:
> Using IIS on a standalone Win2003 server. Users hit the server IP from any workstation on the LAN and get the default web page. Setup has been in place for about a year with no problems. Last week, we start getting errors when users try to hit the site. Users get "Authentication Required" popup when they use their bookmark to get to the site.
>
> First time this happened, entering the admin user credentials would allow the user to proceed to the default web site. That is no longer the case; no credentials are validated. Have verified user/pw for the admin user on the server, so that is not the issue.
>
> Point is, we should *never* need to authenticate to get to this page. I went into IIS Manager and checked the Directory Security settings. "Enable anonymous access" is selected. Down below, in the "Authenticated Access" area, it had shown "Integrated Windows authentication" for when anonymous access was disabled, or when NTFS permissions caused restrictions.
>
> I have not been at the keyboard of this server for over a month, prior to this issue arising last week. It is not auto-updating--i.e. zero changes have been made that could account for this. I have tried disabling the Windows Authentication, then restarting. I have tried using admin user to get past authentication; only worked the first few times (?). I've tried changing the password for the IUSR_computername user both in the Local Users and Groups and in IIS Manager. Nothing is working.
>
> Some random changes do happen. I had taken off the Integrated Windows authentication, restarted the server, took a screenshot of IIS Mgr with that setting *off*. Users had access to the default web page. 30 min. later, same problem. Checked IIS Mgr, and integ win auth was back on...? Nobody has physical or remote access to this server except me, and except for users' access to the default web page.
>
> When at the server console, typing the server IP in the web browser yields "authentication required." Typing "localhost" takes me to the default web page. Now, that's just weird.
>
> Any help would be oh-so-appreciated!

Anonymous access and Authenticated Access does *NOT* mean that you *never* need to authenticate to get to a page. You MUST understand this point. A user ALWAYS needs to authenticate to get to ANY content on Windows because content on NTFS is ACL'd. The question is *who* does the automatic authentication, client or server, such that you have the illusion of never needing to authenticate.

http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_Denied_to_Administrators_or_Anonymous_User.aspx

My suspicion is that this is not an IIS issue. You said that you had not changed server configuration. I add that IIS doesn't change configuration on its own -- it does not have a user token with permissions to change its own configuration. Your type of issue usually indicates some combination of:

1. Domain Controllers pushing down security policies, user/ACL lockdown, configuration scripts, etc that prevent proper functioning of IIS (*very* frequently the culprit)
2. Something else on the server is crashing inetinfo.exe and reverting your IIS configuration changes (for example, if you run in IIS5 Compatibility Mode, or if you run other applications in inetinfo.exe)
3. Security attacks (intentional or unintentional) on the IIS anonymous account that cause account lockout (for example, the Guest group may get locked down by group policy, or you change the anonymous user's password to be out of sync with the cached value in metabase, etc)
4. Something else is authenticating on IIS and overriding IIS's configured behavior (for example, someone installed/activated custom authentication ISAPI Filter)

Your observation with "localhost" and IP going to different places indicates either a networking problem or user misconfiguration/misunderstanding of IIS. For example, you could have a website with host header of "localhost" that can funnel your localhost requests to one website (with one set of behaviors) and those with IP to another website (with different behaviors). Or DNS could be messed up on your internal network such that localhost is resolving to another computer and not this IIS server, etc. In order for your result to be weird, you have to show that the request to "localhost" and by IP was serviced by the SAME IIS Website and server, and even then, there are other possible explanations.

I recommend you read the following blog entries to get an understanding of how to troubleshoot and use the IIS-related logs, and what each 401 means in an IIS log file:

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx

My experience with your type of "funny" behavior with IIS is that it is rarely an IIS bug/issue. It is almost always something external, related to security or lockdown from a domain policy, whose unintended effects on IIS get recognized as the "funny" behavior because people use web applications on IIS. Thus, I recommend against fiddling with any IIS settings and always start from "what does IIS log files complain about being the problem" and go from there.

My suspicion is that you've always had a network misconfiguration that is just now exposed, and you had an external security policy applied to lock down this IIS server from functioning. I highly recommend just looking around for clues and not changing any IIS server configuration.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Thanks for a *very* complete and quick reply. You've given me a lot to check
into. Some responses to points you raise:

"David Wang" wrote:
> Anonymous access and Authenticated Access does *NOT* mean that you *never* need to authenticate to get to a page. You MUST understand this point.

Right, just meant that from a user standpoint, they never had to enter credentials, and now they are being required to do so. I'm assuming, in fact, that this is some sort of authentication issue, which is why I changed the IUSR pw. Thanks for the reference!

> My suspicion is that this is not an IIS issue. You said that you had not changed server configuration. I add that IIS doesn't change configuration on its own -- it does not have a user token with permissions to change its own configuration. Your type of issue usually indicates some combination of:
> 1. Domain Controllers pushing down security policies, user/ACL lockdown, configuration scripts, etc that prevent proper functioning of IIS (*very* frequently the culprit)

No DC here, so should not be that, no?

> 2. Something else on the server is crashing inetinfo.exe and reverting your IIS configuration changes (for example, if you run in IIS5 Compatibility Mode, or if you run other applications in inetinfo.exe)

Very likely. Will work to check those out.

> 3. Security attacks (intentional or unintentional) on the IIS anonymous account that cause account lockout (for example, the Guest group may get locked down by group policy, or you change the anonymous user's password to be out of sync with the cached value in metabase, etc)

Very possibly. When you refer to cached value in the metabase, that gets renewed if I go into IIS Mgr and change the pw for the anon user, does it not?

> 4. Something else is authenticating on IIS and overriding IIS's configured behavior (for example, someone installed/activated custom authentication ISAPI Filter)

Should be very unlikely, but I'll track it down. Thanks.

> Your observation with "localhost" and IP going to different places indicates either a networking problem or user misconfiguration/misunderstanding of IIS.

Yep, although, again, this should not be new. Something had to *cause* it. I've gone directly to the IP w/out errors, so something has changed.

> For example, you could have a website with host header of "localhost" that can funnel your localhost requests to one website (with one set of behaviors) and those with IP to another website (with different behaviors). Or DNS could be messed up on your internal network such that localhost is resolving to another computer and not this IIS server, etc. In order for your result to be weird, you have to show that the request to "localhost" and by IP was serviced by the SAME IIS Website and server, and even then, there are other possible explanations.

No other IIS Websites present, no other Win2k3 servers present, no entries in DNS that account for this, but I agree with your premise.

> I recommend you read the following blog entries to get an understanding of how to troubleshoot and use the IIS-related logs, and what each 401 means in an IIS log file:
> http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
> http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx

Thanks very much. I'll head over to those, as well!

> My experience with your type of "funny" behavior with IIS is that it is rarely an IIS bug/issue. It is almost always something external, related to security or lockdown from a domain policy, whose unintended effects on IIS get recognized as the "funny" behavior because people use web applications on IIS. Thus, I recommend against fiddling with any IIS settings and always start from "what does IIS log files complain about being the problem" and go from there.
>
> My suspicion is that you've always had a network misconfiguration that is just now exposed, and you had an external security policy applied to lock down this IIS server from functioning. I highly recommend just looking around for clues and not changing any IIS server configuration.

Thanks for a great combination of detail and summary info!

tony

Something I should have clarified in the first post (sorry): error is 401.1,
so it's specifically due to invalid credentials. I've gone back and looked at the ACL, and the admin user has the proper permissions. Also created a new user to run as anonymous, disabled the IUSR account and gave the new user explicit allows on the ACL for the wwwroot directory. Went into IIS mgr and identified the new anon user as the anon user. No change, still not working.

One thing that made sense was a security lockout, as you mention, David, but that should not be possible with a newly-created user..., no?

On Nov 27, 10:01 am, awshaffer <awshaf***@discussions.microsoft.com>
wrote:
> Something I should have clarified in the first post (sorry): error is 401.1, so it's specifically due to invalid credentials. I've gone back and looked at the ACL, and the admin user has the proper permissions. Also created a new user to run as anonymous, disabled the IUSR account and gave the new user explicit allows on the ACL for the wwwroot directory. Went into IIS mgr and identified the new anon user as the anon user. No change, still not working.
>
> One thing that made sense was a security lockout, as you mention, David, but that should not be possible with a newly-created user..., no?

401.1 error tells me to look at user privileges, Application Pool identity, and credentials/passwords. ACLs, IIS Authentication configuration, ISAPI, etc are usually not involved.

I would start looking at security lockout by group membership, missing logon privileges by group membership, or even change of how IIS performs user login for authentication (which is configurable but should not have changed).

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

> 401.1 error tells me to look at user privileges, Application Pool identity, and credentials/passwords. ACLs, IIS Authentication configuration, ISAPI, etc are usually not involved.

Exactly. That's my frustration--it cannot be nothing, but it can only be a limited number of somethings, and it's not any of the somethings. Frankly, I'm feeling now like I've either got a corrupt file somewhere that I just cannot track down using any avail monitors, or a ditto for a security issue. Came in today and tried to logon to the server console and got "not enough storage is available to process this command". All the references I find to this have to do with apps running on a functioning o/s, or to Dell Poweredges, which this is not.

Rather than leave my whole site w/out access to the things they need, I'm going to stop my pitiful troubleshooting attempts, blow the thing away and recreate it.
Thanks for all your help and for teaching me a lot that I did not know.

> I would start looking at security lockout by group membership, missing logon privileges by group membership, or even change of how IIS performs user login for authentication (which is configurable but should not have changed).

Can't get in, so I can't check any of that, but to the extent that I had looked at those issues before, none was the cause. Yesterday I had the developer who wrote the app I was using with IIS remote in and drive that server for a couple hours, and he could not explain the error.

Thanks again,
tony

At the end, it sounds like something was leaking memory on your system (probably non-paged pool) such that it prevented login. You'd be able to determine that from a Kernel Debugger attached to this machine. And figure out what's leaking that memory because it'll eventually cause IIS to return "Connections_Refused" (which I also have a blog entry about).

Now, this sort of thing does not happen suddenly on its own. You must have had some hardware or software change at a system level which is causing this issue.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Nov 28, 8:03 am, awshaffer <awshaf***@discussions.microsoft.com> wrote:
> > 401.1 error tells me to look at user privileges, Application Pool identity, and credentials/passwords. ACLs, IIS Authentication configuration, ISAPI, etc are usually not involved.
>
> Exactly. That's my frustration--it cannot be nothing, but it can only be a limited number of somethings, and it's not any of the somethings. Frankly, I'm feeling now like I've either got a corrupt file somewhere that I just cannot track down using any avail monitors, or a ditto for a security issue. Came in today and tried to logon to the server console and got "not enough storage is available to process this command". All the references I find to this have to do with apps running on a functioning o/s, or to Dell Poweredges, which this is not.
>
> Rather than leave my whole site w/out access to the things they need, I'm going to stop my pitiful troubleshooting attempts, blow the thing away and recreate it. Thanks for all your help and for teaching me a lot that I did not know.
>
> > I would start looking at security lockout by group membership, missing logon privileges by group membership, or even change of how IIS performs user login for authentication (which is configurable but should not have changed).
>
> Can't get in, so I can't check any of that, but to the extent that I had looked at those issues before, none was the cause. Yesterday I had the developer who wrote the app I was using with IIS remote in and drive that server for a couple hours, and he could not explain the error.
>
> Thanks again,
> tony
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
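
Added example, not part of the original thread or of the blog entries it links to: the log-first triage recommended above, as a parser for IIS W3C extended logs that tallies each 401 by site, Host header, user, sub-status and Win32 error, and lists which site and server IP served each Host header (the "localhost" versus IP question). The log lines are constructed, and the example assumes the optional cs-host field is enabled in the site's logging properties.

```python
from collections import Counter

# Standard IIS 6 meanings of the 401 sub-status (sc-substatus column).
SUBSTATUS = {"1": "logon failed", "2": "logon failed due to server configuration",
             "3": "denied by ACL on resource", "4": "denied by filter",
             "5": "denied by ISAPI/CGI application"}
# Win32 logon errors that can accompany a 401.1 (sc-win32-status column).
WIN32 = {"1326": "ERROR_LOGON_FAILURE", "1331": "ERROR_ACCOUNT_DISABLED",
         "1385": "ERROR_LOGON_TYPE_NOT_GRANTED", "1909": "ERROR_ACCOUNT_LOCKED_OUT"}

# Constructed sample; not taken from the server discussed in this thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-username c-ip cs-host sc-status sc-substatus sc-win32-status
2001-01-01 09:00:01 W3SVC1 127.0.0.1 GET /Default.htm - 127.0.0.1 localhost 200 0 0
2001-01-01 09:00:09 W3SVC1 192.0.2.10 GET /Default.htm - 192.0.2.25 192.0.2.10 401 1 1909
2001-01-01 09:00:12 W3SVC1 192.0.2.10 GET /Default.htm - 192.0.2.25 192.0.2.10 401 1 1909
2001-01-01 09:00:30 W3SVC1 192.0.2.10 GET /Default.htm admin 192.0.2.25 192.0.2.10 401 1 1326
"""

def parse_w3c(text):
    """Yield one dict per request. Every #Fields line is honoured, because
    IIS rewrites the header when logging restarts and columns may change."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or foreign rows
                yield dict(zip(fields, values))

def explain_401(records):
    """Count 401 responses per (site, Host header, user, sub-status, Win32 error)."""
    hits = Counter()
    for r in records:
        if r.get("sc-status") == "401":
            sub = r.get("sc-substatus", "?")
            w32 = r.get("sc-win32-status", "?")
            hits[(r.get("s-sitename"), r.get("cs-host"), r.get("cs-username"),
                  f"401.{sub} {SUBSTATUS.get(sub, 'unknown')}",
                  WIN32.get(w32, w32))] += 1
    return hits

def sites_by_host(records):
    """Map each Host header to the set of (site, server IP) pairs that served it."""
    seen = {}
    for r in records:
        seen.setdefault(r.get("cs-host"), set()).add((r.get("s-sitename"), r.get("s-ip")))
    return seen

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    for key, count in explain_401(rows).most_common():
        print(count, *key)
    print(sites_by_host(rows))
```

A 401.1 paired with a lockout or logon-type error points at the account and its logon rights rather than at ACLs or the IIS authentication checkboxes.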